This policy describes how Anastig collects, uses, and protects information about account holders, the workspaces they create, and visitors to the public site.
1. What we collect
- Account data: email, name, hashed password, MFA status, organization name, country, industry, intended use, role, language preference.
- Workspace data: projects, images, labels, models, exports, members, audit events.
- Technical data: user agent summary, coarse IP-derived country, request timestamps, error fingerprints, browser device class.
- Usage data: which features you use, throttle counters, security events (failed logins, throttle hits, account changes).
- Consent records: the version of the Terms, Privacy Policy, and Acceptable Use Policy you accepted, and when.
We do not knowingly collect precise GPS, payment-card numbers, government IDs, biometric identifiers, or special-category personal data. The contact form is optional.
2. Email verification
We send a confirmation email to every new account from [email protected]. The link contains a single-use verification token. Only the cryptographic hash of the token is stored. The link expires 60 minutes after we issue it.
3. Cookies and session
We use a first-party, HTTP-only session cookie for authentication and CSRF protection. We do not use third-party advertising cookies. Non-essential analytics cookies are off by default and only enabled if you opt in.
4. Service providers we rely on
- Resend — sends transactional email from [email protected].
- Zoho — inbound corporate mail for [email protected] and [email protected].
- Object storage — your chosen S3-compatible bucket or our managed bucket for image and export storage.
We share the minimum data each provider needs to function. We do not sell personal information.
5. How long we keep it
- Active account data is kept while your account is active.
- Security event logs are retained for up to 24 months for incident response and audit.
- Email verification and password-reset tokens are deleted after use or 60 minutes.
- If you delete your account, we plan to keep the account in a frozen, isolated state for a 30-day recovery window, followed by up to 90 days of internal retention for legal/security purposes, before anonymization or deletion. Deactivation / deletion / recovery flows are partially implemented and will be completed in a follow-up release.
6. Your rights
You can access, correct, or delete your account data by writing to [email protected]. For data-protection-specific requests (export, restriction, objection), the same address routes to a human reviewer.
7. Security
Transport is encrypted (HTTPS). Passwords are hashed by Django's configured hasher. MFA secrets are encrypted at rest. Verification and reset tokens are stored as SHA-256 hashes only. Sensitive administrative actions are gated, audited, and require a reason string of record.
8. International transfers
We may process data outside your country to deliver the service. Where required, we rely on standard contractual clauses or equivalent safeguards. Operational draft pending legal review.
9. Changes
We will publish updates here with a new version date. Material changes will be highlighted in the app and emailed to active accounts before they take effect.
10. Contact
Privacy questions: [email protected]. Technical / product: [email protected].